(54) Integrated policy implementation service for communication network



(57) An integrated policy implementation service for a communication network where user authentication is integrated with QoS provisioning. The service includes a data communication switch connected to one or more policy servers. The switch transmits requests for user and device information to the end devices connected to the network. The devices respond by transmitting responses including the user and device information to the switch. The switch transmits the user and device information to the one or more policy servers for user authentication and QoS provisioning. The one or more policy servers respond by transmitting authentication information and QoS information to the switch. The switch uses the authentication information to determine whether to enable a network interface used by the user to communicate with the network. To the extent a determination is made to enable the network interface, the switch uses the received QoS information to establish a QoS on the switch. The QoS is then applied to the traffic received from the device used by the user to communicate with the network.




Printed by Jouve, 75001 PARIS (FR) 






EP 1 244 265 A2 






Description 

FIELD OF THE INVENTION 

[0001] The present invention relates generally to data communication networks, and more particularly, data communication networks integrating user authentication and quality of service provisioning into a single policy service.

BACKGROUND OF THE INVENTION 

[0002] Data communication networks are becoming more and more intelligent. One service increasing the intelligence of networks is user authentication. User authentication answers the question of whether a user may communicate in the network. Whereas legacy networks provided users unrestricted access to the network, more recent vintage networks permit a user to communicate only after verifying the user's identity, and even then may allow the user to communicate only with a subset of network devices.

[0003] Another service raising the intelligence of networks is quality of service (QoS) provisioning. QoS provisioning addresses the question of how well a user may communicate in the network. Whereas legacy networks provided first-in-time delivery of packets, more recent vintage networks depart from first-in-time packet ordering and provide different QoS for different data flows.

[0004] QoS applies policy rules to the flows seen on the network. A policy rule generally includes a flow condition component and a QoS action component, and answers the question of what action should be applied to a flow meeting a particular condition. For example, a simple policy rule may take the form "treat traffic in group 2 at priority level 3," in which case the flow condition is "group 2" and the QoS action is "priority level 3."

[0005] While user authentication and QoS provisioning services have created more intelligent networks, they have not been tightly integrated. Typically, the QoS provisioning task has only been initiated after the user authentication task has been successfully completed. Duplication of effort and unnecessary delay have therefore resulted from such serialized policy provisioning.

SUMMARY OF THE INVENTION 

[0006] The present invention comprises an integrated policy implementation service for a communication network where user authentication is integrated with QoS provisioning.

[0007] In one aspect of the invention, a data communication switch supports the integrated policy implementation service via a single integrated policy server. The switch includes a first network interface that transmits to an end device a request for user and device information, and receives from the end device the requested user and device information. The user information may include a user identifier and password. The device information may include Layer 2 and/or Layer 3 information such as, for example, MAC addresses, Internet Protocol (IP) addresses, and virtual LAN (VLAN) identifiers.

[0008] The data communication switch includes a management interface that transmits the received user and device information to the policy server and receives user authentication and quality of service information in a single control flow between the management interface and the policy server. The authentication information may include ACK/NACK indicators and/or lists of authorized ports or devices. The QoS information may include priority and maximum bandwidth information.

[0009] The data communication switch also includes a first driver, such as, for example, a port driver, that transitions a network resource from an unauthenticated to an authenticated state in response to the user authentication information. In addition, a second driver, such as, for example, a QoS driver, implements a quality of service on the switch for data flows received from the data communication switch in response to the quality of service information.

[0010] In another aspect of the invention, the data communication switch supports the integrated policy implementation service via two independent policy servers. The switch includes a management interface that transmits the received user information to a first policy server in a first control flow and receives user authentication information from the first policy server in the first control flow. The management interface further transmits the received device information to a second policy server in a second control flow and receives quality of service information from the second policy server in the second control flow. The first and second control flows preferably occur in parallel. Such parallel execution of user authentication and QoS provisioning helps reduce the delays associated with serialized policy provisioning existing in the prior art.



DESCRIPTION OF THE DRAWINGS

[0011]

FIG. 1 is a schematic diagram of a communication network supporting an integrated policy implementation service;

FIG. 2 is a more detailed schematic diagram of a data communication switch supporting an integrated policy implementation service via two policy servers;

FIG. 3 is an exemplary schematic layout diagram of a user authentication table stored in one of the policy servers of FIG. 2;

FIG. 4 is an exemplary schematic layout diagram of a QoS table stored in the other policy server of FIG. 2;

FIG. 5 is an exemplary flow diagram of an integrated policy implementation service via the two policy servers of FIG. 2;

FIG. 6 is a more detailed schematic diagram of a data communication switch supporting an integrated policy implementation service via a single integrated policy server;

FIG. 7 is an exemplary schematic layout diagram of a user authentication table stored in the integrated policy server of FIG. 6;

FIG. 8 is an exemplary schematic layout diagram of a QoS table stored in the integrated policy server of FIG. 6; and

FIG. 9 is an exemplary flow diagram of an integrated policy implementation service via the integrated policy server of FIG. 6.

DETAILED DESCRIPTION OF THE SPECIFIC EMBODIMENTS

[0012] FIG. 1 is a schematic diagram of a communication network supporting an integrated policy implementation service. The network includes a data communication switch 10 coupled to policy servers 12, 14 and devices 16a, 16b, 16c. The data communication switch 10 is coupled to data communication switch 18 across a backbone network 20 via one or more core switches (not shown) operative in the backbone network. Data communication switch 18 is also coupled to a policy server 22 and devices 24a, 24b, 24c.

[0013] The devices 16, 24 are preferably network end-stations, such as, for example, personal computers, workstations, or servers, having respective network interfaces for packetized communication with other devices via the data communication switches 10, 18. The data communication switches 10, 18 are preferably gateway devices such as, for example, hubs, bridges, or routers, having a plurality of respective network interfaces for forwarding packetized communications originated by the devices 16, 24. The policy servers 12, 14, 22 preferably provide authentication and QoS provisioning services to the data communication switches 10, 18. The devices 16, 24, data communication switches 10, 18, and policy servers 12, 14, 22 may be interconnected via cables or other transmission media, and may support various data communication protocols, such as, for example, Ethernet, Internet Protocol, and Asynchronous Transfer Mode (ATM).

[0014] Integrated policy implementation service is discussed in general terms with respect to the data communication switch 10 and policy servers 12, 14. The data communication switch 10 preferably transmits requests for user and device information to the devices 16 connected to the network. The devices 16 preferably respond by transmitting responses including the user and device information to the switch 10. The switch 10 preferably transmits the received user and device information to the policy servers 12, 14 for user authentication and QoS provisioning. The policy servers 12, 14 preferably respond by transmitting authentication information and QoS information to the switch 10. The switch 10 preferably uses the authentication information to determine whether to enable a network interface used by the user to communicate with the network. To the extent a determination is made to enable the network interface, the switch preferably uses the received QoS information to establish a QoS on the switch. The QoS is then applied to the traffic received from the device used by the user to communicate with the network.
[0015] According to one embodiment of the invention, the integrated policy implementation service configuration preferably includes two independent policy servers as is illustrated by data communication switch 10 and policy servers 12, 14. FIG. 2 is a more detailed schematic diagram of the data communication switch 10 supporting an integrated policy implementation service via the two policy servers 12, 14 (also referred to as authentication and QoS servers). The data communication switch 10 includes network interfaces 30, 31, 32, 34 and a management interface 36 linked by a data bus 38. The network interfaces 30, 31, 32, 34 interconnect the devices 16, switches in the backbone network 20, and policy servers 12, 14 over different interfaces.

[0016] The management interface 36 and network interfaces 30, 31, 32, 34 are coupled to the data bus 38 for transmitting and receiving data traffic. The management interface 36 and network interfaces 30, 31, 32, 34 are also coupled to a management bus 46 for transmitting and receiving management information preferably including authentication and QoS information.

[0017] The management interface 36 supports various modules, including an integrated policy manager 40, port driver 42, and QoS driver 44. The integrated policy manager 40, port driver 42, and QoS driver 44 are preferably software modules. Alternatively, implementation of the system may be accomplished in a combination of hardware, firmware (e.g. application specific integrated circuits or other customized circuits), and/or software, or by any method known in the art.

[0018] According to one embodiment of the invention, the data communication switch 10 supports integrated policy implementation in the following manner. The integrated policy manager 40 transmits user and device information requests via the management bus 46 to the devices 16.

[0019] The devices 16 respond by transmitting the user and device information via the data bus 38. The user information preferably includes user identification information, such as, for example, a user ID, and user signature information, such as, for example, a password. The device information preferably includes Layer 2 and/or Layer 3 information, such as, for example, MAC addresses, IP addresses, VLAN identifiers, and the like. It should be understood, however, that one or more of such device information (e.g. the MAC address) may already be known to the data communication switch 10 via source learning. In this scenario, the known device address may not need to be expressly transmitted to the data communication switch.

[0020] The user and device information packets are captured off the data bus 38 by the management interface 36 and forwarded to the integrated policy manager 40. The integrated policy manager 40 proceeds to determine whether a particular user is authorized to communicate in the network and identify the QoS designed for the user device. In this regard, the integrated policy manager 40, in a first control flow, transmits the received user information to one of the policy servers, namely, the authentication server 12, and receives a corresponding authentication information from the authentication server. The authentication information preferably includes ACK/NACK indicators, list of authorized ports, and/or other authenticating information. Although FIG. 2 illustrates a single authentication server, a network operating in accordance with the present invention may include one or more authentication servers.

[0021] In a second control flow, the integrated policy manager 40 transmits the received device information to the second policy server, namely, the QoS server 14, and receives the QoS information for the device from the QoS server. The QoS information preferably includes priority levels, maximum bandwidth information, and the like.

[0022] The first and second control flows preferably occur in parallel. Such parallel execution of user authentication and QoS provisioning helps reduce the delays associated with serialized policy provisioning.
[0023] FIG. 3 is an exemplary schematic layout diagram of a user authentication table 50 stored in the authentication server 12. The authentication table 50 may be created and organized using tools such as, for example, NetWare®, which is commercially available from Novell, Inc. In one exemplary embodiment, the authentication table 50 suitably comprises a set of user authenticating information that may be arranged in a variety of ways, but is most advantageously configured as sequential entries, with each entry specific to a particular user to be authorized. A particular entry of the table 50 may include a unique user identifier 52, such as, for example, an identification number, character, or combination of numbers and characters. A particular entry may further include a user signature, such as, for example, a user password 54, for verifying the user seeking access to the network. In addition to the above, a particular entry may include time restriction information 56 as well as authorized resource information 58 for the particular user. The time restriction information preferably defines times during which the particular user is authorized to use the network resources, such as, for example, the day of the week, time of the day, and length of permitted access. The list of authorized network resources is preferably a list of authorized network interfaces and/or devices.

[0024] The authentication server 12 preferably utilizes the authentication table 50 to authorize a user in the manner described in U.S. Patent No. 6,070,243, the contents of which are hereby incorporated by reference. The protocol used for user authentication may include RADIUS, LDAP (Lightweight Directory Access Protocol), COPS (Common Open Policy Service), or any other authentication protocol known in the art, either alone or in combination.

[0025] In general terms, however, upon receipt of the user information from the data communication switch 10, the authentication server 12 preferably compares the received information with the user identification and signature information stored in the server 12. The authentication server 12 may further determine whether any time restrictions associated with the user identification information are applicable. If the authentication server 12 verifies that the user is an authorized user of the network resources, and that the user is authorized to use the network resources at the time of the log-in attempt, the server preferably transmits to the data communication switch 10 an ACK indicator and/or the list of network resources for which the user is authorized. The authentication server 12 may also transmit, along with the list of resources, any time restrictions applicable to the usage. The integrated policy manager 40 may then invoke the port driver 42 to establish network connectivity rules on the network interface 32 used by the user to communicate with the network. Specifically, the port driver preferably enables the authorized network resources by transitioning them from an unauthenticated state to an authenticated state. The integrated policy manager 40 may also perform time restriction processing based on the time restriction information 56.
[0026] FIG. 4 is an exemplary schematic layout diagram of a QoS table 60 stored in the QoS server 14. The QoS table 60 preferably comprises a set of flow conditions 62 and QoS actions 64 matching each of the flow conditions. The flow conditions 62 may include MAC addresses, IP addresses, VLAN identifiers, slot/port identifiers, IP protocols, interface types, and the like. The QoS actions 64 specify at least a priority level indicative of a priority given to traffic meeting the flow condition. The QoS actions 64 may further indicate a maximum bandwidth, minimum bandwidth, peak bandwidth, priority, latency, jitter, maximum queue depth, maximum queue buffers, and the like.

[0027] In identifying an applicable QoS for the traffic received from the device, the integrated policy manager 40 preferably uses LDAP or COPS to transmit a QoS request with the device information to the QoS server 14. Upon receipt of the device information, the QoS server 14 identifies a flow condition and returns the corresponding QoS action to the data communication switch 10. The QoS action packets are captured off the data bus 38 by the management interface 36 and forwarded to the integrated policy manager 40. The integrated policy manager 40 then notifies the QoS driver 44 to implement the QoS action on the switch. According to one embodiment of the invention, the data communication switch 10 may store the flow condition and the received QoS action in a cache for future use, as is disclosed in the application entitled "ON-SWITCH POLICY RULE CACHING FOR DATA COMMUNICATION SWITCH," filed on September 13, 2000, the contents of which are hereby incorporated by reference.
[0028] FIG. 5 is an exemplary flow diagram of an integrated policy implementation service supported by the switch 10 via the two policy servers 12, 14. In step 70, the management interface 36 preferably transmits a user and device information request to the devices 16. In step 72, the management interface 36 receives the requested user and device information from the devices 16. In a first control flow indicated by steps 74 and 76, the integrated policy manager 40 transmits a user authentication request with the user information to the authentication server 12 and receives back the user authentication information indicating whether the user has been authenticated.

[0029] In a second control flow indicated by steps 78 and 80, the integrated policy manager 40 transmits a QoS request with the device information to QoS server 14 and receives back the QoS information for the traffic originating from the device. The first and second control flows preferably occur in parallel.

[0030] In step 82, an inquiry is made as to whether the user authentication was successful. If the authentication was successful, the integrated policy manager 40 preferably invokes the port driver 42 and the QoS driver 44 to enable the appropriate network interface and implement the identified QoS on the data communication switch 10.

[0031] According to an alternative embodiment of the invention, the integrated policy implementation service configuration includes a single integrated policy server, as is illustrated by data communication switch 18 and policy server 22. FIG. 6 is a more detailed schematic diagram of the data communication switch 18 supporting an integrated policy implementation service via the single policy server 22 (also referred to as an integrated policy server). The data communication switch 18 includes network interfaces 90, 92, 94, 96 and management interface 98 linked by data bus 100. The network interfaces 90, 92, 94, 96 interconnect the devices 24, switches in the backbone network 20, and integrated policy server 22 over different interfaces.

[0032] The management interface 98 and network interfaces 90, 92, 94, 96 are coupled to the data bus 100 for transmitting and receiving data traffic. The management interface 98 and network interfaces 90, 92, 94, 96 are also coupled to a management bus 102 for transmitting and receiving management information including authentication and QoS information.

[0033] The management interface 98 supports various modules, including an integrated policy manager 104, port driver 106, and QoS driver 108. The policy manager 104, port driver 106, and QoS driver 108 are preferably software modules. Alternatively, implementation of the system may be accomplished in a combination of hardware, firmware (e.g. application specific integrated circuits or other customized circuits), and/or software, or by any method known in the art.
[0034] According to one embodiment of the invention, the data communication switch 18 supports integrated policy implementation in the following manner. The integrated policy manager 104 preferably transmits user and device information requests via the management bus 102 to the devices 24.

[0035] The devices 24 respond by transmitting the user and device information via the data bus 100. The user information preferably includes user identification information, such as, for example, a user ID, and user signature information, such as, for example, a password. The device information preferably includes Layer 2 and/or Layer 3 information, such as, for example, MAC addresses, IP addresses, virtual LAN identifiers, and the like. It should be understood, however, that one or more of such device information (e.g. the MAC address) may already be known to the data communication switch 18 via source learning. In this scenario, the known device address may not need to be expressly transmitted to the data communication switch.

[0036] The user and device information packets are captured off the data bus 100 by the management interface 98 and forwarded to the integrated policy manager 104. The integrated policy manager 104 proceeds to determine whether a particular user is authorized to communicate in the network and identify the QoS designed for the user device. In this regard, the integrated policy manager 104, preferably in a single control flow, transmits to the integrated policy server 22 the received user and device information, and receives from the integrated policy server 22 a corresponding authentication and QoS information. The authentication information preferably includes ACK/NACK indicators, list of authorized ports, and/or other authenticating information. The QoS information preferably includes priority levels, maximum bandwidth information, and the like.
[0037] FIG. 7 is an exemplary schematic layout diagram of a user authentication table 110 stored in the integrated policy server 22. The authentication table 50 may be created and organized using tools such as, for example, NetWare®, which is commercially available from Novell, Inc. In one exemplary embodiment, the authentication table 110 suitably comprises a set of user authenticating information that may be arranged in a variety of ways, but is most advantageously configured as sequential entries, with each entry specific to a particular user to be authorized. A particular entry of the table 110 includes a unique user identifier 112, such as, for example, an identification number, character, or combination of numbers and characters. A particular entry further includes a user signature, such as, for example, a user password 114, for verifying the user seeking access to the network. In addition to the above, a particular entry includes time restriction information 116 as well as authorized resource information 118 for the particular user. The time restriction information preferably defines times during which the particular user is authorized to use the network resources, such as, for example, the day of the week, time of the day, and length of permitted access. The list of authorized network resources is preferably a list of authorized network interfaces and/or devices.

[0038] FIG. 8 is an exemplary schematic layout diagram of a QoS table 120 also stored in the integrated policy server 22. The QoS table 120 preferably comprises a set of flow conditions 122 and QoS actions 124 matching each of the flow conditions. The flow conditions 122 preferably include MAC addresses, IP addresses, VLAN identifiers, slot/port identifiers, IP protocols, interface types, and the like. The QoS actions 124 specify at least a priority level indicative of a priority given to traffic meeting the flow condition. The QoS actions 124 may further indicate a maximum bandwidth, minimum bandwidth, peak bandwidth, priority, latency, jitter, maximum queue depth, maximum queue buffers, and the like.

[0039] According to one embodiment of the invention, the authentication and QoS tables 110, 120 are stored in one or more databases hosted by the integrated policy server 22. The database(s) preferably reside in one or more mass storage devices, such as, for example, hard disk drives, or drive arrays.

[0040] The integrated policy server 22 preferably utilizes the authentication table 110 to authorize a user in the manner described in U.S. Patent No. 6,070,243, the contents of which are hereby incorporated by reference. The protocol used for user authentication may include RADIUS, LDAP (Lightweight Directory Access Protocol), COPS, or any other authentication protocol known in the art, either alone or in combination. The integrated policy server 22 further uses the QoS table 120 to identify the appropriate QoS based on the device information. The protocol used to transmit a QoS request is preferably LDAP or COPS.

[0041] In general terms, upon receipt of the user and device information from the data communication switch 18, the integrated policy manager 104 proceeds to obtain the authentication and QoS information preferably in a single control flow between the data communication switch and the integrated policy server 22. In this regard, the integrated policy server preferably compares the received user identification and signature information with the information stored in the authentication table 110. If the user is verified, the integrated policy server 22 also determines whether any time restrictions associated with the user identification information are applicable.

[0042] The integrated policy server 22 further proceeds to identify an applicable QoS based on the received device information. In this regard, the integrated policy server 22 interrogates the QoS table 120 to identify a flow condition and returns the corresponding QoS action.

[0043] The integrated policy server 22 then transmits the user authentication and QoS information to the data communication switch 18. If the integrated policy server 22 verifies that the user is an authorized user of the network resources, and that the user is authorized to use the network resources at the time of the log-in attempt, the server transmits to the data communication switch 22 an ACK indicator and/or the list of network resources for which the user is authorized. The integrated policy server 22 may also transmit, along with the list of resources, any time restrictions applicable to the usage. The integrated policy server 22 also transmits to the data communication switch 18 the identified QoS action including priority level, maximum bandwidth, and the like.

[0044] The authentication and QoS action packets are captured off the data bus 100 by the management interface 98 and forwarded to the integrated policy manager 104. The integrated policy manager 104 then invokes the port driver 106 to establish network connectivity rules on the network interface 94 used by the user to communicate with the network. Specifically, the port driver enables the authorized network resources by transitioning them from an unauthenticated state to an authenticated state.

[0045] The integrated policy manager also invokes the QoS driver 108 to implement the QoS action on the switch. According to one embodiment of the invention, the data communication switch 18 may store the flow condition and the received QoS action in the cache for future use, as is disclosed in the application entitled "ON-SWITCH POLICY RULE CACHING FOR DATA COMMUNICATION SWITCH," filed on September 13, 2000, the contents of which are hereby incorporated by reference.

[0046] FIG. 9 is an exemplary flow diagram of an integrated policy implementation service supported by the switch 18 via the single integrated policy server 22. In step 130, the management interface 98 transmits a user and device information request to the devices 24. In step 132, the management interface 98 receives the requested user and device information from the devices 24. In step 134, the integrated policy manager 104 transmits the user and device information to the integrated policy server 22 in a request for user authentication and QoS provisioning. In step 136, the integrated policy manager 104 receives the user authentication information and QoS information if the user has been authenticated. In step 138, an inquiry is made as to whether the user authentication was successful. If the authentication was successful, the integrated policy manager 104 invokes the port driver 106 and QoS driver 108 to enable the appropriate network interface and implement the identified QoS on the data communication switch 18.
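The following Python model is added here as an illustration and is not part of EP 1 244 265 A2. It exercises the two-server flow of FIG. 5 ([0028]-[0030]) and the single-server flow of FIG. 9 ([0046]) against the table layouts of FIGS. 3, 4, 7 and 8 ([0023]-[0027], [0037]-[0038]): a user authentication lookup with its time restriction and authorized-resource list, a first-match flow-condition lookup in the QoS table, and the step 82/138 rule that the QoS action is installed only after authentication succeeds. All table contents, user names, MAC and VLAN values, slot/port identifiers and timestamps are constructed, and the policy servers are in-process functions standing in for the RADIUS/LDAP/COPS exchanges the patent names.

```python
"""Added example, not from EP 1 244 265 A2: an in-process model of the
integrated policy implementation service. Policy servers are plain
functions standing in for the RADIUS/LDAP/COPS exchanges the patent names."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from datetime import datetime
import hmac


@dataclass(frozen=True)
class AuthEntry:
    """One row of the user authentication table (FIG. 3 / FIG. 7)."""
    user_id: str                 # unique user identifier (52 / 112)
    password: str                # user signature (54 / 114)
    weekdays: frozenset          # time restriction (56 / 116): 0=Mon .. 6=Sun
    hours: tuple                 # (start_hour, end_hour), end exclusive
    authorized_ports: frozenset  # authorized resources (58 / 118) as slot/port


@dataclass(frozen=True)
class QoSAction:
    """QoS action column of the QoS table (64 / 124)."""
    priority: int
    max_bandwidth_kbps: int


# Constructed sample tables: every user, password, MAC, VLAN and port below is made up.
AUTH_TABLE = {
    "alice": AuthEntry("alice", "s3cret", frozenset(range(0, 5)), (8, 18), frozenset({"1/3"})),
    "bob": AuthEntry("bob", "hunter2", frozenset(range(0, 7)), (0, 24), frozenset({"1/4"})),
}
# Flow conditions (62 / 122) are (field, value) pairs, ordered most specific
# first so that a MAC match takes precedence over a VLAN-wide rule.
QOS_TABLE = [
    (("mac", "00:d0:95:aa:bb:cc"), QoSAction(priority=5, max_bandwidth_kbps=10_000)),
    (("vlan", "20"), QoSAction(priority=3, max_bandwidth_kbps=2_000)),
]
DEFAULT_QOS = QoSAction(priority=0, max_bandwidth_kbps=1_000)

# Constructed sample timestamps for exercising the time restriction.
WEDNESDAY_10H = datetime(2001, 3, 14, 10, 0)
SATURDAY_10H = datetime(2001, 3, 17, 10, 0)


def authenticate(user_id, password, now):
    """Authentication server 12 (or the authentication half of server 22).
    Returns (ACK, authorized ports); a NACK is (False, empty frozenset)."""
    entry = AUTH_TABLE.get(user_id)
    # Always run the constant-time compare, against an empty signature when
    # the user is unknown, so unknown-user and bad-password failures look alike.
    stored = entry.password if entry is not None else ""
    matches = hmac.compare_digest(stored.encode(), password.encode())
    if entry is None or not matches:
        return False, frozenset()
    start, end = entry.hours
    if now.weekday() not in entry.weekdays or not start <= now.hour < end:
        return False, frozenset()  # valid signature but outside permitted times
    return True, entry.authorized_ports


def lookup_qos(device_info):
    """QoS server 14 (or the QoS half of server 22): first matching flow condition."""
    for (field_name, value), action in QOS_TABLE:
        if device_info.get(field_name) == value:
            return action
    return DEFAULT_QOS


def integrated_policy_server(user_info, device_info, now):
    """Server 22: both answers in one control flow (FIG. 9, steps 134-136)."""
    ack, ports = authenticate(user_info["user_id"], user_info["password"], now)
    return ack, ports, lookup_qos(device_info)


@dataclass
class Switch:
    """State installed by the port driver (42 / 106) and QoS driver (44 / 108)."""
    enabled_ports: set = field(default_factory=set)
    qos_by_port: dict = field(default_factory=dict)

    def provision(self, port, user_info, device_info, now, two_servers=True):
        """Integrated policy manager (40 / 104). Returns True if the port was enabled."""
        if two_servers:
            # FIG. 5, steps 74-80: the two control flows run in parallel.
            with ThreadPoolExecutor(max_workers=2) as pool:
                auth_future = pool.submit(authenticate, user_info["user_id"],
                                          user_info["password"], now)
                qos_future = pool.submit(lookup_qos, device_info)
                ack, ports = auth_future.result()
                qos = qos_future.result()
        else:
            ack, ports, qos = integrated_policy_server(user_info, device_info, now)
        # Step 82 / 138: the QoS answer is discarded unless authentication
        # succeeded and the user's port is among the authorized resources.
        if not ack or port not in ports:
            return False
        self.enabled_ports.add(port)  # port driver: unauthenticated -> authenticated
        self.qos_by_port[port] = qos  # QoS driver: install the returned action
        return True
```

A NACK (wrong signature, unknown user, or a log-in outside the permitted hours) leaves both driver tables untouched, so the QoS action fetched in parallel is never installed for an unauthenticated port.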
[0047] According to one embodiment of the invention, the switches 10, 18 may be arranged to be operative in independent (two policy servers) and integrated (one policy server) modes. The type of mode selected is preferably automatically determined based on the current service configuration.

[0048] Although this invention has been described in certain specific embodiments, those skilled in the art will have no difficulty devising variations which in no way depart from the scope and spirit of the present invention. It is therefore to be understood that this invention may be practiced otherwise than is specifically described. Thus, the present embodiments of the invention should be considered in all respects as illustrative and not restrictive, the scope of the invention to be indicated by the appended claims and their equivalents rather than the foregoing description.

Claims

1. A data communication switch in a communication network including an end device and one or more policy servers, the data communication switch for use in an integrated policy implementation service for the network, the data communication switch comprising:

means for transmitting to the end device a request for a plurality of information;

means for receiving from the end device the requested plurality of information;

means for concurrently transmitting to the one or more policy servers the received plurality of information; and

means for concurrently receiving from the one or more policy servers user authentication and quality of service information, the user authentication and quality of service information being based on the transmitted plurality of information.

2. The data communication switch of claim 1, wherein the plurality of information includes user and device information.

3. The data communication switch of claim 1, wherein the switch is in communication with one policy server, the one policy server including:

means for retrieving the user authentication information; and

means for retrieving the quality of service information.

4. The data communication switch of claim 1, wherein the switch is in communication with two policy servers, the first policy server including means for retrieving the user authentication information and the second policy server including means for retrieving the quality of service information.

5. The data communication switch of claim 1 further comprising means for transitioning a network resource from an unauthenticated to an authenticated state in response to the user authentication information.

6. The data communication switch of claim 1 further comprising means for implementing a quality of service on the switch in response to the quality of service information for data flows received from the end device.

7. The data communication switch of claim 1, wherein the user authentication information includes a list of authorized network resources.

8. The data communication switch of claim 1, wherein the quality of service information includes a quality of service action to be applied to data flows received from the end device.

9. The data communication switch of claim 1 further comprising:

a first mode for supporting a single policy server;

a second mode for supporting two policy servers; and

means for selecting between the first mode and the second mode.

10. A data communication switch in a communication network including an end device and a policy server, the data communication switch for use in an integrated policy implementation service for the network, the data communication switch comprising:

a first network interface transmitting to the end device a request for a plurality of information and receiving from the end device the requested plurality of information;

a management interface coupled to the first network interface, the management interface transmitting the received plurality of information to the policy server and the policy server retrieving user authentication and quality of service information in response to the plurality of information and concurrently communicating the retrieved user authentication and quality of service information to the management interface;

a first driver coupled to the management interface, the first driver transitioning a network resource from an unauthenticated to an authenticated state in response to the user authentication information; and

a second driver coupled to the management interface, the second driver implementing a quality of service on the switch for data flows received from the end device in response to the quality of service information.

11. The data communication switch of claim 10, wherein the plurality of information includes user and device information.

12. The data communication switch of claim 10, wherein the user authentication information includes a list of authorized network resources.

13. The data communication switch of claim 10, wherein the quality of service information includes a quality of service action to be applied to data flows received from the end device.

14. A data communication switch in a communication network including an end device and a policy server, the data communication switch for use in an integrated policy implementation service for the network, the data communication switch comprising:

a first network interface transmitting to the end device a request for a plurality of information and receiving from the end device the requested plurality of information;

a management interface coupled to the first network interface, the management interface transmitting the received plurality of information to the policy server in a single control flow and receiving user authentication and quality of service information from the policy server in the control flow;

a first driver coupled to the management interface, the first driver transitioning a network resource from an unauthenticated to an authenticated state in response to the user authentication information; and

a second driver coupled to the management interface, the second driver implementing a quality of service on the switch for data flows received from the end device in response to the quality of service information.

15. The data communication switch of claim 14, wherein the plurality of information includes user and device information.

16. The data communication switch of claim 14, wherein the user authentication information includes a list of authorized network resources.

17. The data communication switch of claim 14, wherein the quality of service information includes a quality of service action to be applied to data flows received from the end device.

18. A data communication switch in a communication network including an end device, a first policy server, and a second policy server, the data communication switch for use in an integrated policy implementation service for the network, the data communication switch comprising:

a first network interface transmitting to the end device a request for a plurality of information and receiving from the end device the requested plurality of information;

a management interface coupled to the first network interface transmitting to the first policy server in a first control flow a first portion of the plurality of the information and receiving from the first policy server in the first control flow user authentication information, the management interface further transmitting to the second policy server in a second control flow a second portion of the plurality of the information and receiving from the second policy server in the second control flow a quality of service information, wherein the first control flow occurs concurrently with the second control flow;

a first driver coupled to the management interface, the first driver transitioning a network resource from an unauthenticated to an authenticated state in response to the user authentication information; and

a second driver coupled to the management interface, the second driver implementing a quality of service on the switch for data flows received from the end device in response to the quality of service information.

19. The data communication switch of claim 18, wherein the plurality of information includes user and device information.

20. The data communication switch of claim 18, wherein the user authentication information includes a list of authorized network resources.

21. The data communication switch of claim 18, wherein the quality of service information includes a quality of service action to be applied to data flows received on the switch.

22. A data communication switch in a communication network including an end device and one or more policy servers, a method for integrated policy implementation service for the network comprising:

transmitting to the end device a request for a plurality of information;

receiving from the end device the requested plurality of information;

transmitting to the one or more policy servers the received plurality of information; and

receiving from the one or more policy servers user authentication information concurrently with quality of service information, the user authentication and quality of service information being based on the transmitted plurality of information.

23. The method of claim 22, wherein the plurality of information includes user and device information.

24. The method of claim 22 further comprising:

retrieving the user authentication information; and

retrieving the quality of service information.

25. The method of claim 22 further comprising transitioning a network resource from an unauthenticated to an authenticated state in response to the user authentication information.

26. The method of claim 22 further comprising implementing a quality of service on the switch for data flows received from the end device in response to the quality of service information.

27. The method of claim 22, wherein the user authentication information includes a list of authorized network resources.

28. The method of claim 22, wherein the quality of service information includes a quality of service action to be applied to data flows received on the switch.

29. The method of claim 22 further comprising selecting between a first mode supporting a single policy server and a second mode supporting two policy servers.

30. In a communication network including a switch communicating with an end device, a first policy server, and a second policy server, a method for integrated policy implementation service for the network comprising:

transmitting to the end device a request for a plurality of information;

receiving from the end device the requested plurality of information;

transmitting to the first policy server in a first control flow a first portion of the plurality of the information and receiving from the first policy server in the first control flow user authentication information; and

transmitting to the second policy server in a second control flow a second portion of the plurality of the information and receiving from the second policy server in the second control flow a quality of service information;

wherein the first control flow occurs concurrently with the second control flow.

31. The method of claim 30, wherein the plurality of information includes user and device information.

32. The method of claim 30 further comprising transitioning a network resource from an unauthenticated to an authenticated state in response to the user authentication information.

33. The method of claim 30 further comprising implementing a quality of service on the switch for data flows received from the end device in response to the quality of service information.

34. The method of claim 30, wherein the user authentication information includes a list of authorized network resources.

35. The method of claim 30, wherein the quality of service information includes a quality of service action to be applied to data flows received on the switch.

FIG. 9